Broker-Dealers Need Vendor Management Too

Jan 24, 2017

The Financial Industry Regulatory Authority (FINRA) is putting broker-dealers on notice that vendor management of cybersecurity will be a hot topic in 2017.

In its Regulatory and Examination Priorities Letter, which highlights areas FINRA plans to review in 2017 and “brief observations about common weaknesses we have observed while executing our regulatory programs,” the organization identified the operational risks of cybersecurity as one of the biggest risks facing firms.

Data loss. FINRA wants broker-dealers to understand how their vendors handle data, including what data is sensitive, where it travels, and how it is stored. Broker-dealers need tools that let them monitor and protect the data they share with their vendors.

Electronic communication retention. The Securities and Exchange Act requires firms to properly preserve emails and other records, yet there have been times when email review and retention vendors have fallen short of this requirement.

The message is clear: Vendor management controls are not optional, especially when it comes to data and cybersecurity. Broker-dealers need to know which vendors hold critical information and what contract protections are in place to keep that data safe. They must also be sure vendors are aware of regulatory requirements and are obligated to follow them.

FINRA won’t let broker-dealers off the hook if a vendor causes a data breach or other regulatory violation. A strong vendor management program is increasingly a must-have.